Cyberattacks: The next healthcare epidemic

A few months ago, I was at a conference and heard a story about a hospital that was hit with a computer virus. The investigation showed it had come from an evil attachment to an email. Once opened, the attachment unleashed a Pandora’s Box of IT horrors. It turned out to have started from an unlikely source. None other than a member of the board opened the attachment in question.

To the gentleman’s credit, he offered to have his story told as a cautionary tale to the rest of us.

The board member was a well-known leader of industry. He ran a very large company, was very successful, and admittedly, knew better than to open an unidentified attachment.

As my mother was fond of saying, “There but for the grace of God go I.” More than a few times I have opened an email and then thought “Oh, no! Did I just let the genie out of the bottle?”

So I started wondering, what makes reasonably intelligent and careful people do foolish things? Does anyone really think a Nigerian prince is going to send them money? What hold does this invisible internet have over us?

We all know better. Yet we all do it.

I still struggle over the fact that healthcare is the number one industry targeted by cyber attackers. I understand the curiosity factor of peeking at a celebrity’s chart, but the majority of us have exceedingly boring medical records.

Then I found out that our personally identifiable information (PII) and EHR data is 50 times as valuable as stolen credit card information! Our medical records are loaded with little pieces of information that help criminals commit identity theft, tax fraud, file fraudulent insurance claims, and falsify prescriptions. But the laws of microeconomics hold true even in criminal behavior – the glut of medical records on the market is driving down the price.

Innovation in criminal behavior

What is shocking to me is how easily we give it away. Phishing is still the number one security challenge for healthcare today.

But now there’s a newer, more sophisticated form of phishing called spear phishing. A hacker targets a specific individual and then sends a text or calls on the phone. The hacker can reference personal or business-related information to lure the victim into a false sense of security. It has become a professional enterprise, and like a master forger, the hacker’s work can be almost indistinguishable from the original.

So I turned to the smartest guy I know when it comes to internet security. Dan Wilson is the head of Hyland’s Application Security group and as always, he had some interesting information to share.

Dan used the principles of psychology 101 to explain combating phishing. Phishing does not rely just on subterfuge; it relies heavily on psychology. Phishers use the art of deception in these emails by designing them to manipulate the recipient into certain emotional states that cause them to act without thinking. It may make the victim feel safe by assuming that the sender is someone they know or can trust. It is normal to trust people that we know. If I think I know the sender of an email, I am likely to open it.

Phishers also use psychology to capitalize on greed by pretending that there is a chance for reward. No one wants to miss an opportunity. In fact, we often are more afraid of missing out on an opportunity than we are of taking risks.

That’s why we play the lottery. That’s why we go to Las Vegas. And we all know how that turns out.

Additionally, phishers like to make the victim feel fear by pretending that there is a chance for loss or legal trouble. Last week, I had a voicemail from a bank telling me they were going to foreclose on my house. The call shocked me. And while I thought about the threat the call represented, I forgot for a minute that we have already paid off our house.

The voicemail was clearly constructed to push me into a panic. And I will admit for a minute, I was there.

Another psychological trick phishers use is to make the victim feel angry by pretending that the victim has been violated. Making you feel angry is an easy way to manipulate your emotions. It can cause you to act without thinking. Telling you that your credit card has fraudulent charges can cause you to react and provide confidential information.

These feelings can cause you to act instinctively instead of thoughtfully. Your critical thinking and judgment become impaired. And that can cause any of us to take the bait even though we know better.

So how do we combat an obviously emotional situation? How do we give our teams the tools they need to override the feeling that they must act before they’ve had a chance to think?

Educate everyone on the plan

Whether talking about individuals or organizations, we all need a plan for how to react to these stressful situations. Hospitals are experts at developing plans to deal with emergencies and traumas, so they’re a great example to look at. Protocols exist to chart the path for what everyone needs to do in the event of an emergency. These plans are based on best practices. When a patient rolls into the Emergency Department, everyone knows exactly what to do – just like they know their ABCs.

We need plans exactly like that to deal with the threat of incursion or data theft. And just like in the Emergency Department, we have to educate everyone on the plan.

The red flags of email

There are a number of email red flags that should make our Spidey senses tingle. Make sure your teams know them by frequently reminding them. A security manager I know has posters around the office as a constant reminder. Another IT director told me he periodically sends out emails as bait to see how many people he can catch with their guards down. The number he catches in his bait trap declines each time.

Systems warning you that your account is about to be locked or deactivated

IT or service providers asking you to validate your credentials or your password

FBI, IRS, [insert government 3-letter agency here] serving you with an audit notification or subpoena

Your CEO or VP or HR asking for a list of names and SSNs for all employees so that they can “verify tax records”

Outthink the enemy

This is a war. And the bad guys are getting smarter.

We have to be smarter than them. We have to be better prepared.

As Dan Wilson likes to say, “Just because a security lesson is obvious to you, does not mean that it is obvious to everybody in your organization.”

Some tips to be proactive about security:

Be suspicious of all emails

Treat poor spelling, grammar, or formatting as a red flag

Don’t open attachments unless you know the sender and were expecting the attachment to be sent to you

If you weren’t expecting an attachment, check with the sender via other means (e.g. via phone, in person) before opening it

Think before you click

When in doubt, go to the main site and navigate to the indicated section, rather than using the link in the email

Don’t enable macros, no matter what the document tells you about formatting or encryption
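The red flags listed above and these tips can be turned into a mechanical first-pass check that a security team runs over a suspicious message before a person has to decide under pressure. The script below is an added example written for this post, not code from the article or from Hyland; it parses a raw email with Python’s standard library and reports the indicators the post names: account lockout or deactivation language, requests to validate credentials, audit or subpoena threats from a three-letter agency, requests for employee SSNs, a sender outside a known-contacts list, links whose visible text names one site but point at another, and attachments, with macro-enabled Office files called out separately. The keyword patterns, the known-sender list, and both sample messages (using .test and .example domains) are constructed for illustration and are assumptions, not data from the post.

```python
"""Triage a raw email against the phishing red flags and tips in the post.

Added example: keyword patterns, thresholds, and sample messages are
constructed assumptions, not data from the article.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed patterns for the red flags the post lists (case-insensitive).
RED_FLAGS = {
    "account_lockout": r"\b(account|access)\b.*\b(locked|lock|deactivated|suspended)\b",
    "credential_request": r"\b(validate|verify|confirm|update)\b.*\b(credentials|password)\b",
    "legal_threat": r"\b(FBI|IRS|DEA|subpoena|audit notification)\b",
    "ssn_request": r"\b(SSN|SSNs|social security)\b",
}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
URL_IN_TEXT = re.compile(r"https?://([A-Za-z0-9.-]+)")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html_body):
    """Return (shown_host, real_host) pairs where the visible URL and the href disagree."""
    parser = LinkCollector()
    parser.feed(html_body)
    mismatches = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        for shown in URL_IN_TEXT.findall(text):
            if shown.lower() != target:
                mismatches.append((shown, target))
    return mismatches


def triage(raw_message, known_senders=frozenset()):
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if sender not in known_senders:
        findings.append("unknown_sender")
    text = str(msg["Subject"] or "")
    html = ""
    plain_part = msg.get_body(preferencelist=("plain",))
    if plain_part is not None:
        text += "\n" + plain_part.get_content()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        text += "\n" + html
    for name, pattern in RED_FLAGS.items():
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(name)
    for shown, target in link_mismatches(html):
        findings.append(f"link_mismatch:{shown}->{target}")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        findings.append("attachment:" + filename)
        if filename.lower().endswith(MACRO_EXTENSIONS):
            findings.append("macro_enabled_attachment")
    return findings


def build_sample():
    """Constructed lure: lockout threat, credential link to a mismatched host, .docm attachment."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-it-support.test>"
    msg["To"] = "jane@hospital.example"
    msg["Subject"] = "URGENT: your account will be locked in 24 hours"
    msg.set_content("Your account will be deactivated. Validate your password here.")
    msg.add_alternative(
        "<p>Your account will be deactivated in 24 hours.</p>"
        '<p>Please <a href="http://login.bad-host.test/verify">validate your password at '
        "https://portal.hospital.example</a>.</p>",
        subtype="html",
    )
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice.docm")
    return msg.as_string()


def build_benign():
    """Constructed ordinary message from a known colleague, no links or attachments."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@hospital.example>"
    msg["To"] = "jane@hospital.example"
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Are you free for lunch Thursday at noon?")
    return msg.as_string()


if __name__ == "__main__":
    known = frozenset({"colleague@hospital.example"})
    for label, raw in (("lure", build_sample()), ("benign", build_benign())):
        print(label, triage(raw, known))
```

The link-mismatch check is the mechanical form of the "go to the main site rather than using the link" tip: it compares the hostname a reader sees with the hostname the browser would actually open. A message that trips several of these indicators is a candidate for quarantine and for the out-of-band confirmation the post recommends, rather than something the recipient should resolve by reacting to the email itself.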

Just when you thought it was safe to go back in the water

The war is not over. In fact, it has really just begun. Now we have ransomware, an evil twist on hacking by blocking an organization’s access to computer systems until it pays a ransom. This is incredibly dangerous when healthcare information is concerned.